PaloAltoNetworks / pan-os-ansible

Ansible collection for easy automation of Palo Alto Networks next generation firewalls and Panorama, in both physical and virtual form factors.
https://pan.dev/ansible/docs/panos
Apache License 2.0

When using state "merged" in panos_security_rule if there is an existing rule with an existing group_profile the job fails #563

Closed mbar01 closed 1 month ago

mbar01 commented 5 months ago

Describe the bug

If there is an existing security policy in place and you want to update it using the merged state, the job fails if the rule already has a group_profile and the group_profile is specified in your playbook/role.

```yaml
- name: Create security policy
  paloaltonetworks.panos.panos_security_rule:
    provider: '{{ provider }}'

    rule_name: '{{security_policy_rule_name}}'
    rule_type: 'universal'

    source_zone: ['external']
    source_ip: '{{security_policy_source}}'

    destination_zone: ['internal']
    destination_ip: '{{security_policy_destination}}'

    service: 'service-{{service_port}}'

    application: '{{security_policy_applications}}'
    category: '{{name_url}}'

    log_start: true
    log_end: true

    group_profile: 'corp-profile-group'
    log_setting: 'syslog-log-forwarding-profile'

    action: 'allow'
    tag_name: '{{security_policy_tags}}'
    group_tag: '{{security_policy_group_tag}}'
    device_group: '{{security_policy_device_group_name}}'
    state: '{{cfg_status}}'
```

Fails with the below error:

```text
fatal: [localhost]: FAILED! => changed=false msg: 'Failed update group: At most 1 occurrence is allowed for group/member'
```

For example, I have a playbook that defines a group profile, and if it creates a new rule with state present it works fine. Now, for example, I want to add more source IPs to the rule. If I run the same job again with new source IPs, the job fails. If I comment out the group_profile parameter and rerun the job, it works fine, but I don't want to have to edit that parameter every time an update is made.

Expected behavior

The job should complete successfully with group_profile specified, especially when the group profile name is exactly the same as what is currently in the rule.

Current behavior

I have a playbook that defines a group profile, and if it creates a new rule with state present it works fine. Now, for example, I want to add more source IPs to the rule. If I run the same job again with new source IPs, the job fails with the above error.

If I comment out the group_profile parameter and rerun the job, it works fine, but I don't want to have to edit that parameter every time an update is made.

Possible solution

Steps to reproduce

  1. Create a playbook that creates a security policy with a group_profile assigned
  2. Run the job to create the rule
  3. The rule is now created
  4. Re-run the same job with, for example, new source IPs and change the state from present to merged
  5. The job will fail with msg: 'Failed update group: At most 1 occurrence is allowed for group/member'

Context

Your Environment
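An added illustration, written for this page and not taken from pan-os-ansible, of the re-runnable merge the report expects from state merged: multi-valued fields are unioned, while group_profile is replaced rather than appended. The functions `merge_rule`, `naive_merge` and `validate_rule`, the sample rule, and the assumption that PAN-OS stores group_profile as a single group/member entry (which is what the quoted error suggests) are mine.

```python
# Added illustration (not pan-os-ansible code) of an idempotent "merged" update.
# Assumption: PAN-OS keeps group_profile as one profile-setting/group/member
# entry, so a merge that appends a second copy trips the quoted error.

MULTI_VALUED = {"source_zone", "source_ip", "destination_zone",
                "destination_ip", "application", "tag_name"}
SINGLE_MEMBER = {"group_profile"}  # at most one group/member per rule

PANOS_ERROR = "Failed update group: At most 1 occurrence is allowed for group/member"


def validate_rule(rule):
    """Mimic the PAN-OS check behind the error quoted in the report."""
    if len(rule.get("group_profile", [])) > 1:
        raise ValueError(PANOS_ERROR)
    return rule


def naive_merge(existing, desired):
    """Merge that appends every field; fails on a re-run with the same group_profile."""
    merged = {k: list(v) for k, v in existing.items()}  # existing values are lists
    for key, value in desired.items():
        merged.setdefault(key, []).extend(value if isinstance(value, list) else [value])
    return validate_rule(merged)


def merge_rule(existing, desired):
    """Re-runnable merge: union multi-valued fields, replace single-member fields."""
    merged = {k: list(v) for k, v in existing.items()}
    for key, value in desired.items():
        if key in MULTI_VALUED:
            current = merged.setdefault(key, [])
            current.extend(item for item in value if item not in current)
        elif key in SINGLE_MEMBER:
            merged[key] = [value]  # replace, never append
        else:
            merged[key] = [value]
    return validate_rule(merged)


# Constructed sample: the rule after its first run, then the same task re-run
# with one more source IP and the same group_profile.
EXISTING = {"source_ip": ["10.0.0.0/24"], "group_profile": ["corp-profile-group"]}
DESIRED = {"source_ip": ["10.0.0.0/24", "10.0.1.0/24"],
           "group_profile": "corp-profile-group"}


def merge_fails_naively():
    """Return the error message the append-style merge produces, or None."""
    try:
        naive_merge(EXISTING, DESIRED)
    except ValueError as exc:
        return str(exc)
    return None
```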